SELinux Archive on lore.kernel.org
 help / color / Atom feed
* [PATCH v2] semanage: handle getprotobyname() failure case
@ 2020-06-05  8:19 Topi Miettinen
  2020-06-08 16:18 ` Stephen Smalley
  0 siblings, 1 reply; 4+ messages in thread
From: Topi Miettinen @ 2020-06-05  8:19 UTC (permalink / raw)
  To: selinux; +Cc: Topi Miettinen

At least on Debian, /etc/protocols, which is used by
socket.getprotobyname() to resolve protocols to names, does not
contain an entry for "ipv4". In that case, set the protocol number
used by audit logs for "ipv4" to a fixed value. To ensure audit log
compatibility, let's use the same numeric value as Fedora: 4, which is
actually understood by kernel as IP over IP.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
---
v2: don't change audit log format
---
 python/semanage/seobject.py | 27 +++++++++++++++++++--------
 1 file changed, 19 insertions(+), 8 deletions(-)

diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
index 6e0b87f2..6a14f7b4 100644
--- a/python/semanage/seobject.py
+++ b/python/semanage/seobject.py
@@ -1870,10 +1870,22 @@ class nodeRecords(semanageRecords):
         except:
             raise ValueError(_("Unknown or missing protocol"))
 
-        return newaddr, newmask, newprotocol
+        try:
+            audit_protocol = socket.getprotobyname(protocol)
+        except:
+            # Entry for "ipv4" not found in /etc/protocols on (at
+            # least) Debian? To ensure audit log compatibility, let's
+            # use the same numeric value as Fedora: 4, which is
+            # actually understood by kernel as IP over IP.
+            if (protocol == "ipv4"):
+                audit_protocol = socket.IPPROTO_IPIP
+            else:
+                raise ValueError(_("Unknown or missing protocol"))
+
+        return newaddr, newmask, newprotocol, audit_protocol
 
     def __add(self, addr, mask, proto, serange, ctype):
-        addr, mask, proto = self.validate(addr, mask, proto)
+        addr, mask, proto, audit_proto = self.validate(addr, mask, proto)
 
         if is_mls_enabled == 1:
             if serange == "":
@@ -1942,7 +1954,7 @@ class nodeRecords(semanageRecords):
         semanage_node_key_free(k)
         semanage_node_free(node)
 
-        self.mylog.log_change("resrc=node op=add laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, socket.getprotobyname(self.protocol[proto]), "system_u", "object_r", ctype, serange))
+        self.mylog.log_change("resrc=node op=add laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, audit_proto, "system_u", "object_r", ctype, serange))
 
     def add(self, addr, mask, proto, serange, ctype):
         self.begin()
@@ -1950,7 +1962,7 @@ class nodeRecords(semanageRecords):
         self.commit()
 
     def __modify(self, addr, mask, proto, serange, setype):
-        addr, mask, proto = self.validate(addr, mask, proto)
+        addr, mask, proto, audit_proto = self.validate(addr, mask, proto)
 
         if serange == "" and setype == "":
             raise ValueError(_("Requires setype or serange"))
@@ -1987,7 +1999,7 @@ class nodeRecords(semanageRecords):
         semanage_node_key_free(k)
         semanage_node_free(node)
 
-        self.mylog.log_change("resrc=node op=modify laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, socket.getprotobyname(self.protocol[proto]), "system_u", "object_r", setype, serange))
+        self.mylog.log_change("resrc=node op=modify laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, audit_proto, "system_u", "object_r", setype, serange))
 
     def modify(self, addr, mask, proto, serange, setype):
         self.begin()
@@ -1995,8 +2007,7 @@ class nodeRecords(semanageRecords):
         self.commit()
 
     def __delete(self, addr, mask, proto):
-
-        addr, mask, proto = self.validate(addr, mask, proto)
+        addr, mask, proto, audit_proto = self.validate(addr, mask, proto)
 
         (rc, k) = semanage_node_key_create(self.sh, addr, mask, proto)
         if rc < 0:
@@ -2020,7 +2031,7 @@ class nodeRecords(semanageRecords):
 
         semanage_node_key_free(k)
 
-        self.mylog.log_change("resrc=node op=delete laddr=%s netmask=%s proto=%s" % (addr, mask, socket.getprotobyname(self.protocol[proto])))
+        self.mylog.log_change("resrc=node op=delete laddr=%s netmask=%s proto=%s" % (addr, mask, audit_proto))
 
     def delete(self, addr, mask, proto):
         self.begin()
-- 
2.26.2


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH v2] semanage: handle getprotobyname() failure case
  2020-06-05  8:19 [PATCH v2] semanage: handle getprotobyname() failure case Topi Miettinen
@ 2020-06-08 16:18 ` Stephen Smalley
  2020-06-22 12:22   ` Stephen Smalley
  0 siblings, 1 reply; 4+ messages in thread
From: Stephen Smalley @ 2020-06-08 16:18 UTC (permalink / raw)
  To: Topi Miettinen, linux-audit; +Cc: SElinux list

On Fri, Jun 5, 2020 at 4:24 AM Topi Miettinen <toiwoton@gmail.com> wrote:
>
> At least on Debian, /etc/protocols, which is used by
> socket.getprotobyname() to resolve protocols to names, does not
> contain an entry for "ipv4". In that case, set the protocol number
> used by audit logs for "ipv4" to a fixed value. To ensure audit log
> compatibility, let's use the same numeric value as Fedora: 4, which is
> actually understood by kernel as IP over IP.
>
> Signed-off-by: Topi Miettinen <toiwoton@gmail.com>

This looks fine to me but adding linux-audit mailing list to see if
they have any concerns.  It appears to make no change to the audit
messages on Fedora.

> ---
> v2: don't change audit log format
> ---
>  python/semanage/seobject.py | 27 +++++++++++++++++++--------
>  1 file changed, 19 insertions(+), 8 deletions(-)
>
> diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
> index 6e0b87f2..6a14f7b4 100644
> --- a/python/semanage/seobject.py
> +++ b/python/semanage/seobject.py
> @@ -1870,10 +1870,22 @@ class nodeRecords(semanageRecords):
>          except:
>              raise ValueError(_("Unknown or missing protocol"))
>
> -        return newaddr, newmask, newprotocol
> +        try:
> +            audit_protocol = socket.getprotobyname(protocol)
> +        except:
> +            # Entry for "ipv4" not found in /etc/protocols on (at
> +            # least) Debian? To ensure audit log compatibility, let's
> +            # use the same numeric value as Fedora: 4, which is
> +            # actually understood by kernel as IP over IP.
> +            if (protocol == "ipv4"):
> +                audit_protocol = socket.IPPROTO_IPIP
> +            else:
> +                raise ValueError(_("Unknown or missing protocol"))
> +
> +        return newaddr, newmask, newprotocol, audit_protocol
>
>      def __add(self, addr, mask, proto, serange, ctype):
> -        addr, mask, proto = self.validate(addr, mask, proto)
> +        addr, mask, proto, audit_proto = self.validate(addr, mask, proto)
>
>          if is_mls_enabled == 1:
>              if serange == "":
> @@ -1942,7 +1954,7 @@ class nodeRecords(semanageRecords):
>          semanage_node_key_free(k)
>          semanage_node_free(node)
>
> -        self.mylog.log_change("resrc=node op=add laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, socket.getprotobyname(self.protocol[proto]), "system_u", "object_r", ctype, serange))
> +        self.mylog.log_change("resrc=node op=add laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, audit_proto, "system_u", "object_r", ctype, serange))
>
>      def add(self, addr, mask, proto, serange, ctype):
>          self.begin()
> @@ -1950,7 +1962,7 @@ class nodeRecords(semanageRecords):
>          self.commit()
>
>      def __modify(self, addr, mask, proto, serange, setype):
> -        addr, mask, proto = self.validate(addr, mask, proto)
> +        addr, mask, proto, audit_proto = self.validate(addr, mask, proto)
>
>          if serange == "" and setype == "":
>              raise ValueError(_("Requires setype or serange"))
> @@ -1987,7 +1999,7 @@ class nodeRecords(semanageRecords):
>          semanage_node_key_free(k)
>          semanage_node_free(node)
>
> -        self.mylog.log_change("resrc=node op=modify laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, socket.getprotobyname(self.protocol[proto]), "system_u", "object_r", setype, serange))
> +        self.mylog.log_change("resrc=node op=modify laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, audit_proto, "system_u", "object_r", setype, serange))
>
>      def modify(self, addr, mask, proto, serange, setype):
>          self.begin()
> @@ -1995,8 +2007,7 @@ class nodeRecords(semanageRecords):
>          self.commit()
>
>      def __delete(self, addr, mask, proto):
> -
> -        addr, mask, proto = self.validate(addr, mask, proto)
> +        addr, mask, proto, audit_proto = self.validate(addr, mask, proto)
>
>          (rc, k) = semanage_node_key_create(self.sh, addr, mask, proto)
>          if rc < 0:
> @@ -2020,7 +2031,7 @@ class nodeRecords(semanageRecords):
>
>          semanage_node_key_free(k)
>
> -        self.mylog.log_change("resrc=node op=delete laddr=%s netmask=%s proto=%s" % (addr, mask, socket.getprotobyname(self.protocol[proto])))
> +        self.mylog.log_change("resrc=node op=delete laddr=%s netmask=%s proto=%s" % (addr, mask, audit_proto))
>
>      def delete(self, addr, mask, proto):
>          self.begin()
> --
> 2.26.2
>

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH v2] semanage: handle getprotobyname() failure case
  2020-06-08 16:18 ` Stephen Smalley
@ 2020-06-22 12:22   ` Stephen Smalley
  2020-06-25 17:30     ` Stephen Smalley
  0 siblings, 1 reply; 4+ messages in thread
From: Stephen Smalley @ 2020-06-22 12:22 UTC (permalink / raw)
  To: Topi Miettinen, linux-audit; +Cc: SElinux list

On Mon, Jun 8, 2020 at 12:18 PM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
>
> On Fri, Jun 5, 2020 at 4:24 AM Topi Miettinen <toiwoton@gmail.com> wrote:
> >
> > At least on Debian, /etc/protocols, which is used by
> > socket.getprotobyname() to resolve protocols to names, does not
> > contain an entry for "ipv4". In that case, set the protocol number
> > used by audit logs for "ipv4" to a fixed value. To ensure audit log
> > compatibility, let's use the same numeric value as Fedora: 4, which is
> > actually understood by kernel as IP over IP.
> >
> > Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
>
> This looks fine to me but adding linux-audit mailing list to see if
> they have any concerns.  It appears to make no change to the audit
> messages on Fedora.

Seeing no objections from linux-audit,

Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH v2] semanage: handle getprotobyname() failure case
  2020-06-22 12:22   ` Stephen Smalley
@ 2020-06-25 17:30     ` Stephen Smalley
  0 siblings, 0 replies; 4+ messages in thread
From: Stephen Smalley @ 2020-06-25 17:30 UTC (permalink / raw)
  To: Topi Miettinen, linux-audit; +Cc: SElinux list

On Mon, Jun 22, 2020 at 8:22 AM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
>
> On Mon, Jun 8, 2020 at 12:18 PM Stephen Smalley
> <stephen.smalley.work@gmail.com> wrote:
> >
> > On Fri, Jun 5, 2020 at 4:24 AM Topi Miettinen <toiwoton@gmail.com> wrote:
> > >
> > > At least on Debian, /etc/protocols, which is used by
> > > socket.getprotobyname() to resolve protocols to names, does not
> > > contain an entry for "ipv4". In that case, set the protocol number
> > > used by audit logs for "ipv4" to a fixed value. To ensure audit log
> > > compatibility, let's use the same numeric value as Fedora: 4, which is
> > > actually understood by kernel as IP over IP.
> > >
> > > Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
> >
> > This looks fine to me but adding linux-audit mailing list to see if
> > they have any concerns.  It appears to make no change to the audit
> > messages on Fedora.
>
> Seeing no objections from linux-audit,
>
> Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>

Applied.

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, back to index

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-06-05  8:19 [PATCH v2] semanage: handle getprotobyname() failure case Topi Miettinen
2020-06-08 16:18 ` Stephen Smalley
2020-06-22 12:22   ` Stephen Smalley
2020-06-25 17:30     ` Stephen Smalley

SELinux Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/selinux/0 selinux/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 selinux selinux/ https://lore.kernel.org/selinux \
		selinux@vger.kernel.org
	public-inbox-index selinux

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.selinux


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git